DNS stops working after online updates due to "check-name" errors

  • 7001908
  • 17-Nov-2008
  • 27-Apr-2012

Environment

Novell Open Enterprise Server 1 (OES 1) Support Pack 2 Linux
Novell Open Enterprise Server 2 (OES 2)
Novell SUSE Linux Enterprise Server 9 Support Pack 4
Novell SUSE Linux Enterprise Server 9 Support Pack 3

Situation

After updating to SLES 9 SP4, or applying certain updates to SLES 9 SP3, BIND will not load, and an error similar to the following appears in /var/log/messages:

ER: zone example_ex/IN: loading master file master/example_ex: bad owner name (check-names)

Any error message containing "(check-names)" matches this issue, and the resolution in this document should be considered.

Resolution

Several RFCs govern valid DNS names. Some system administrators have named objects, zones, records, services and computers with invalid names. These names often contain invalid or illegal characters such as "_", which BIND previously ignored. A recent upstream patch to BIND (named) changed the default behavior from ignoring these invalid names to failing on them, which prevents BIND from loading normally.

This issue is typically seen on OES 1 SP2 servers and clustered resources.

There are several options for resolving this issue.

Option 1: Remove invalid DNS record names

For servers that are Internet facing or have high security requirements, removing the invalid DNS names is recommended. This process requires planning to implement. If you elect to alter the invalid DNS names, records or zones, you can use option 2 as a stop-gap procedure in the meantime.

Option 2: Turn off name checking

BIND includes a "check-names" option that disables name checking for DNS names, records and zones. In your named.conf (traditionally in /etc), place the following inside the options { } statement:
    check-names master ignore;
    check-names slave ignore;
    check-names response ignore;
This instructs BIND to ignore any invalid names, zones or records, allowing DNS to load normally. The other accepted values are "warn" and "fail". If you elect to rename records, names or zones, you can use the "warn" value to help find the records and services that need renaming.

OES 2 and LDAP-configured DNS caveat: OES 2 DNS servers can pull their configuration from LDAP or eDirectory. The check-names options have been reported not to work correctly when they are added via iManager. As a result, it is recommended that you keep the options in a file outside of LDAP and then "include" that file:
  1. On each DNS server, create a file called "/etc/named.conf.options"
  2. Populate it with the "check-names" options above
  3. Add "/etc/named.conf.options" as an include (the include statement takes a quoted path), for example:
    include "/etc/named.conf.options";
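As an added example (not part of this TID or of BIND), the following Python script applies the RFC 952/1123 host-name syntax to the owner names of A, AAAA and MX records in a master file, a simplification of BIND's check-names policy, so that the names that would trigger "bad owner name (check-names)" can be listed before renaming them under option 1. The sample zone, origins and function names are constructed for illustration; note that an underscore in the zone name itself (as in the example_ex zone from the log line above) makes every A record in the zone fail.

```python
import re

# RFC 952/1123 host-name label: letters, digits, hyphens; no leading/trailing hyphen; max 63.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Owner names of these types must be host names (simplified BIND check-names policy;
# SRV owners such as _ldap._tcp are deliberately not checked here).
HOSTNAME_OWNER_TYPES = {"A", "AAAA", "MX"}


def is_hostname(name: str) -> bool:
    # Every label of the (optionally dot-terminated) name must match LABEL_RE.
    return all(LABEL_RE.match(label) for label in name.rstrip(".").split("."))


def find_bad_owners(zone_text: str, origin: str) -> list[tuple[int, str, str]]:
    """Return (line number, fqdn, rrtype) for owners that would fail check-names."""
    bad, last_owner = [], origin
    for lineno, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()           # drop comments
        if not line.strip():
            continue
        if line.startswith("$"):                       # $TTL etc.: directives carry no owner
            continue                                   # ($ORIGIN is not tracked in this simplified parser)
        fields = line.split()
        if line[0].isspace():                          # blank owner repeats the previous one
            owner = last_owner
        else:
            owner = fields.pop(0)
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = f"{owner}.{origin}"
            last_owner = owner
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)                              # skip optional TTL and class
        if fields and fields[0].upper() in HOSTNAME_OWNER_TYPES and not is_hostname(owner):
            bad.append((lineno, owner, fields[0].upper()))
    return bad


# Constructed sample master file, not taken from any real server.
SAMPLE_ZONE = """\
$TTL 3600
@          IN SOA ns1 hostmaster ( 2008111701 3600 900 604800 86400 )
           IN NS  ns1
ns1        IN A   192.0.2.1
file_srv   IN A   192.0.2.2    ; underscore: fails the host-name rule
www        IN A   192.0.2.3
_ldap._tcp IN SRV 0 0 389 ns1  ; SRV owner, not checked
"""
```

Running find_bad_owners(SAMPLE_ZONE, "example.com.") reports only file_srv, while the same file under the origin "example_ex." reports every A record.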

Additional Information

The following RFCs govern the DNS system. This list has been taken from Wikipedia's article on the Domain Name System:
  • RFC 920 Specified original TLDs: .arpa, .com, .edu, .org, .gov, .mil and two-character country codes
  • RFC 1032 Domain administrators guide
  • RFC 1033 Domain administrators operations guide
  • RFC 1034 Domain Names - Concepts and Facilities
  • RFC 1035 Domain Names - Implementation and Specification
  • RFC 1101 DNS Encodings of Network Names and Other Types
  • RFC 1123 Requirements for Internet Hosts -- Application and Support
  • RFC 1912 Common DNS Operational and Configuration Errors
  • RFC 1995 Incremental Zone Transfer in DNS
  • RFC 1996 A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)
  • RFC 2136 Dynamic Updates in the domain name system (DNS UPDATE)
  • RFC 2181 Clarifications to the DNS Specification
  • RFC 2182 Selection and Operation of Secondary DNS Servers
  • RFC 2308 Negative Caching of DNS Queries (DNS NCACHE)
  • RFC 2317 Classless IN-ADDR.ARPA delegation
  • RFC 2671 Extension Mechanisms for DNS (EDNS0)
  • RFC 3696 Application Techniques for Checking and Transformation of Names
  • RFC 4343 Domain Name System (DNS) Case Insensitivity Clarification
  • RFC 4892 Requirements for a Mechanism Identifying a Name Server Instance
  • RFC 5001 DNS Name Server Identifier Option (NSID)